Abstract

Let L be a language decided by a constant-round quantum Arthur-Merlin (QAM) protocol
with negligible soundness error and all but possibly the last message being classical. We prove
that if this protocol is zero knowledge with a black-box, quantum simulator S, then $L \in \mathrm{BQP}$.
Our result also applies to any language having a three-round quantum interactive proof (QIP),
with all but possibly the last message being classical, with negligible soundness error and a
black-box quantum simulator.

These results in particular make it unlikely that certain protocols can be composed in parallel 
in order to reduce soundness error, while maintaining zero knowledge with a black-box quantum 
simulator. They generalize analogous classical results of Goldreich and Krawczyk (1990). 

Our proof goes via a reduction to quantum black-box search. We show that the existence of a
black-box quantum simulator for such protocols when $L \notin \mathrm{BQP}$ would imply an impossibly-good
quantum search algorithm.
1 Introduction



A zero-knowledge (ZK) protocol for a language L allows a prover to convince a verifier of the
membership of an input x in L without disclosing any extra information. That is, when $x \in L$,
anything efficiently computable after interacting with the prover could also have been efficiently
computed without the interaction. Such protocols play a central role in cryptography. However,
practical protocols must be both secure and round-efficient. Parallel composition is a common
technique for reducing the error probability of an interactive protocol without increasing the
number of rounds, and therefore one is interested in parallel-composing ZK protocols while
maintaining the ZK property. However, Goldreich and Krawczyk [1] proved that only BPP languages
have three-round interactive proofs with negligible soundness error that are black-box-simulation
ZK. This precludes parallel composition of the well-known three-round ZK protocols for Graph
Isomorphism while maintaining black-box zero knowledge, unless the language is in BPP. Moreover,
[1] also precludes parallel composition of any constant-round Arthur-Merlin (AM) black-box-simulation
ZK protocols except for languages in BPP.

Precise definitions of these terms, and of the other classes that we will informally introduce
in this section, are given in Section 2. Roughly, the concept of zero knowledge is formalized by
requiring an efficient simulator that produces a probability distribution indistinguishable from the
distribution of the original verifier's conversations with the honest prover. Black-box-simulation
ZK means that the simulator is only allowed to call the verifier as a black-box subroutine. In an
AM protocol, the verifier's messages are fair coin tosses.

In this work, we revisit the problem of parallel composition of black-box-ZK protocols from 
the perspective of quantum computation, and find that the impossibility results of [1] extend even 
to certain quantum cases. Quantum computation has significant consequences for cryptography, 
especially since exponential speedups by quantum computers have been found for problems that 
are crucial in current cryptographic systems. In the specific context of zero knowledge, quantum 
computers raise several interesting questions: 

1. Quantum simulators: What happens if one weakens the zero-knowledge requirement
to say that, if $x \in L$, anything efficiently computable after interacting with the prover
could also have been efficiently computed on a quantum computer without the interaction?
In other words, we allow the black-box simulator to be a quantum computer and ask if
round-efficient ZK protocols can exist for a larger class of languages than BQP (refer to
Definition 6). It is encouraging that black-box quantum simulators are known to be more
powerful than black-box classical simulators in some settings. For example, Watrous [2] has
given a black-box quantum simulator for the standard three-round Graph Isomorphism protocol
that succeeds with probability exactly one, whereas classical simulators for the same protocol
succeed with probability only approaching one. Perhaps quantum exact simulators, as in [2],
could be helpful in maintaining black-box ZK under parallel composition.

2. Quantum messages: What happens for protocols with quantum messages? We know that
every quantum statistical zero-knowledge (QSZK) language has a black-box quantum-simulation
zero-knowledge, three-round quantum Arthur-Merlin (QAM) protocol [2,3].¹ The soundness error
of these protocols is exponentially close to 1/2. If the [1] result extends to the QAM case,
then this would give strong evidence against parallel repetition of QAM protocols to reduce
soundness error to be exponentially small, unless BQP = QSZK.

¹ The first and third messages of the QAM protocol are quantum, and the second message, from the verifier, is a
classical coin flip. See Definition 3.
Our Results:

We answer the first question above and make partial progress on the second. We prove that only
BQP languages have three-round interactive protocols (IP) (see Theorem 2) or constant-round
AM protocols (see Theorem 3) that have negligible soundness error and are black-box quantum-simulation
ZK.² Our results also hold if the last message from the prover in these protocols is a quantum
message. In particular, only BQP languages have black-box quantum-simulation ZK, negligible-soundness,
three-round QAM protocols with the first two messages being classical. We show our results for
computational zero knowledge and therefore they apply as well for the stricter notions of
statistical and perfect zero knowledge.

Our Techniques: 

Let us now briefly discuss our techniques and the central idea of the reduction to search. For
simplicity, assume a three-round QAM protocol Π for a language L with all three protocol messages
being classical but a quantum verifier (see Definition 3). Assume that Π is black-box-simulation
QCZK with negligible soundness error. We prove $L \in \mathrm{BQP}$ by exhibiting an efficient quantum
algorithm Z that decides the language L. Even though a similar algorithm works in the classical
case studied by Goldreich and Krawczyk, our analysis of Z is quite different from the analysis
in [1]. For comparison, we therefore sketch the idea of the algorithm and of its analysis in this
section. The formal details appear in Section 3.

Throughout the paper, we use capital letters to represent random variables, and lower-case 
letters to represent individual strings. For a random variable A, we let A also represent its 
distribution. 

Idea of the algorithm Z: Let x be the input whose membership in L needs to be decided. Since
the protocol Π is QCZK, there exists a simulator S with running time t polynomial in |x|. Let H
be a random variable uniformly distributed in $\mathcal{H}(2t+1)$, where $\mathcal{H}(2t+1)$ is a strongly
(2t+1)-universal family of efficiently computable hash functions from $\{0,1\}^{n_1}$ to $\{0,1\}^{n_2}$,
where $n_1, n_2$ are the lengths of the first and second messages, respectively, in Π (see
Definition 8). For $h \in \mathcal{H}(2t+1)$, let $V_h$ represent a verifier who, if the first message is a,
replies with h(a). Run S on the random verifier $V_H$ and measure S's output in the computational
basis to obtain the (random) transcript (A, B, C), representing the prover Merlin's first message,
the verifier Arthur's response and Merlin's second message, respectively. Run Arthur's acceptance
predicate on the modified transcript (A, H(A), C), and declare $x \in L$ if and only if it accepts.

We claim that Z accepts inputs $x \in L$, and rejects inputs $x \notin L$, with good completeness and
soundness parameters (see Definition 3).

Sketch of proof: For $x \in L$, by using the zero-knowledge property of Π and properties of the
family of hash functions $\mathcal{H}(2t+1)$, it can be verified that the algorithm Z accepts with good
probability. We do not elaborate this case here. Instead we focus on the more interesting case
of $x \notin L$. We show that if the algorithm Z accepts a string $x \notin L$ with probability ε, then
there exists a cheating Merlin who fools the honest Arthur with probability $\Omega(\varepsilon/t^2)$. This
contradicts the protocol having negligible soundness error when ε is constant and t is polynomial.³

² As every BQP language has a zero-round protocol with a quantum verifier, which is trivially quantum-simulation
black-box ZK, this result characterizes the class BQP.

The cheating Merlin $\mathcal{M}^*$ is designed as follows. Since the algorithm Z accepts $x \notin L$ with
probability ε, the modified transcript (A, H(A), C) satisfies Arthur's acceptance predicate with
probability ε. Therefore, a natural intention of $\mathcal{M}^*$ could be to act so that the transcript of
the actual interaction is distributed "close" to (A, H(A), C). $\mathcal{M}^*$ can start by sending a first
message A' ($A' \in \{0,1\}^{n_1}$) such that A' is distributed identically to A. Now Arthur, being honest,
replies with a message B' uniformly distributed in $\{0,1\}^{n_2}$ and independent of A'. Now, we cannot
show that the distribution of the first two messages (A', B') is either the same as, or even close in
$\ell_1$ distance to, the distribution of (A, H(A)). In particular, H(A) is not necessarily independent
of A.

However, using properties of the family $\mathcal{H}(2t+1)$, we will argue below that H(A) is "well
spread out," i.e., has sufficiently high min-entropy⁴ even conditioned on the value of A. This
means that (A', B') can be "closely coupled" to (A, H(A)). For two distributions P and Q, by
saying that P can be closely coupled to Q, we mean that the probabilities of Q, scaled down by
$t^2$, are pointwise less than the corresponding probabilities of P, i.e., $P(\omega) \ge Q(\omega)/t^2$ for
every outcome ω. Note that then if a predicate accepts Q with probability ε, it also accepts P
with probability at least $\varepsilon/t^2$: summing $P(\omega)\Pr[\text{accept} \mid \omega] \ge Q(\omega)\Pr[\text{accept} \mid \omega]/t^2$
over all ω gives the claim.

Let us define a random variable C' such that for all $a \in \{0,1\}^{n_1}$, $\beta \in \{0,1\}^{n_2}$,
$(C' \mid (A' = a, B' = \beta)) = (C \mid (A = a, H(a) = \beta))$. If the first and second messages are a, β
respectively, then $\mathcal{M}^*$ sends the third message distributed according to $C' \mid (A' = a, B' = \beta)$.
Due to this strategy of $\mathcal{M}^*$, the transcript of the actual interaction (A', B', C') remains closely
coupled to the modified simulated transcript (A, H(A), C). Since we have assumed that the modified
simulated transcript (A, H(A), C) satisfies Arthur's acceptance predicate with probability ε, from
the property of closely coupled distributions that we mentioned above, Arthur is fooled into
accepting the actual transcript (A', B', C') with probability at least $\varepsilon/t^2$.

Since B' is uniform and independent of A', in order to show that (A', B') can be "closely
coupled" to (A, H(A)), it can be verified that it is enough to show that H(A) has high min-entropy
even conditioned on the value of A. Indeed, the main technical lemma of our paper, Lemma 1,
shows that the simulator S, which can be thought of as making at most t queries to H and
outputting A (in which case H, A become correlated random variables), cannot cause H(a) to have
low min-entropy for most a distributed according to A. By definition of min-entropy, this means
that for most a, for any β, the probability $\Pr[H(a) = \beta \mid A = a]$ is small. In order to provide
some intuition, let us assume S' is some classical algorithm making at most t queries to a random
function F, chosen uniformly from the set of all functions from $\{0,1\}^{n_1}$ to $\{0,1\}^{n_2}$, and
outputting $A \in \{0,1\}^{n_1}$. We show the following weaker statement; that is, for all $\beta \in \{0,1\}^{n_2}$,

$$\Pr[F(A) = \beta] \le \frac{t+1}{2^{n_2}}. \qquad (1)$$

Let us fix a β. The goal of S' is now to maximize $\Pr[F(A) = \beta]$. This can be viewed as a search
problem. It is easy to see that the optimal procedure for S' is:

Make t different queries to F. If any response is β then output the corresponding
queried location. Otherwise, output any new location.

³ In the classical case, the cheating Merlin's success probability is $\Omega(\varepsilon/t)$, so a quantum black-box simulator can be
no more than quadratically more efficient.

⁴ For a distribution X taking values in $\mathcal{X}$, the min-entropy of X is defined to be $\min_{x \in \mathcal{X}} -\log \Pr[X = x]$.
Eq. (1) is now immediate: the t queried values and the value at the fresh location are t+1
independent, uniformly random elements of $\{0,1\}^{n_2}$, so the procedure succeeds with probability
exactly $1 - (1 - 2^{-n_2})^{t+1} \le (t+1)/2^{n_2}$. Note that, since S' makes at most t queries to F, this
procedure would also be optimal with the same probability of success even if F were only drawn
uniformly from a strongly (t+1)-universal family of hash functions. In Lemma 1, since S is a
quantum algorithm and we need to show a stronger statement, the proof takes a different track.
However, it also uses a reduction to the black-box search problem. □
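The following Python program is an added example and is not part of the paper. It builds a strongly t-universal family of the kind Definition 8 asks for, verifies the t-wise independence of Definition 8 by exhaustive enumeration, and then runs the optimal t-query procedure above against a strongly (t+1)-universal member of that family, confirming the remark that the procedure then succeeds with exactly the same probability $1 - (1 - 2^{-n_2})^{t+1}$ as against a truly random function, and never above the bound of Eq. (1). The construction used (polynomials of degree less than t over $\mathrm{GF}(2^m)$) is the standard one and is an assumption of this example rather than something the paper specifies; the toy sizes $n_1 = n_2 = 3$ are chosen so that every member of the family can be enumerated.

```python
"""Added example (not from the paper): a strongly t-universal hash family
H(n1, n2, t) and the t-query search bound of Eq. (1), checked exhaustively.

Assumed construction (standard, not stated in the paper): all polynomials of
degree < t with coefficients in GF(2^m), evaluated at the input.  Any t distinct
inputs give t-wise independent, uniform outputs, because the Vandermonde system
through t points has exactly one polynomial solution of degree < t.
Toy parameters: m = n1 = n2 = 3, so inputs and outputs are 3-bit strings.
"""
from fractions import Fraction
from itertools import combinations, product

M = 3                 # GF(2^3); n1 = n2 = 3 bits
MOD = 0b1011          # irreducible reduction polynomial x^3 + x + 1
Q = 1 << M            # field size = number of possible outputs, 2^{n2}


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^M): carry-less multiplication reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:          # degree reached M, reduce
            a ^= MOD
    return r


def poly_hash(coeffs, a: int) -> int:
    """h(a) = c_0 + c_1 a + c_2 a^2 + ... over GF(2^M), by Horner's rule."""
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, a) ^ c
    return r


def hash_family(t: int):
    """All coefficient tuples of polynomials of degree < t: the family H(n1, n2, t).
    A member is described by t*M bits, versus Q*M bits for an arbitrary function."""
    return list(product(range(Q), repeat=t))


def is_k_wise_independent(family, k: int) -> bool:
    """Definition 8, checked exhaustively: for every k distinct inputs, the tuple
    (H(a_1), ..., H(a_k)) must take each of the Q^k values equally often as H
    ranges over the family (uniform marginals are implied by the k = 1 case)."""
    expected = Fraction(len(family), Q ** k)
    for points in combinations(range(Q), k):
        counts = {}
        for h in family:
            key = tuple(poly_hash(h, a) for a in points)
            counts[key] = counts.get(key, 0) + 1
        if len(counts) != Q ** k or any(v != expected for v in counts.values()):
            return False
    return True


def greedy_search_success(family, t: int, beta: int) -> Fraction:
    """Exact Pr[H(A) = beta] for the optimal t-query procedure of the text:
    query t distinct locations; if some answer equals beta, output that
    location, otherwise output a fresh (unqueried) location."""
    queries = list(range(t))      # any t distinct locations will do
    fresh = t                     # a location that was not queried
    hits = 0
    for h in family:
        found = [a for a in queries if poly_hash(h, a) == beta]
        out = found[0] if found else fresh
        hits += poly_hash(h, out) == beta
    return Fraction(hits, len(family))


def random_function_success(t: int) -> Fraction:
    """Success of the same procedure against a uniformly random function: the
    t+1 inspected values are independent and uniform, so it fails only if all
    of them miss beta."""
    return 1 - (1 - Fraction(1, Q)) ** (t + 1)


def search_bound(t: int) -> Fraction:
    """Right-hand side of Eq. (1): (t+1) / 2^{n2}."""
    return Fraction(t + 1, Q)


if __name__ == "__main__":
    t = 2
    fam = hash_family(t + 1)      # strongly (t+1)-universal, as the text requires
    print("3-wise independent:", is_k_wise_independent(fam, 3))
    print("4-wise independent:", is_k_wise_independent(fam, 4))
    for beta in range(Q):
        p = greedy_search_success(fam, t, beta)
        assert p == random_function_success(t) <= search_bound(t)
    print("Pr[H(A)=beta] =", p, "  random-function value =", random_function_success(t),
          "  bound (t+1)/2^n2 =", search_bound(t))
```

With t = 2 queries against the 512-member 3-wise independent family, the procedure succeeds with probability exactly 169/512 for every β, matching $1 - (7/8)^3$ and staying below the Eq. (1) bound 3/8; the same family fails the 4-wise check, which is why the paper needs the independence parameter to grow with the simulator's query count.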
Here, we would like to point out the main differences between our analysis and the analysis 
in [1]: 

1. The algorithm in [1] constructs the responses of a random function on the fly, as queries
from S to the verifier arrive. Quantumly, however, since S is a BQP machine, queries can come
in superposition, and it is difficult to reply to them as a consistent, uniformly random function
F, i.e., to implement $\sum_x \alpha_x |x\rangle \mapsto \sum_x \alpha_x |x\rangle|F(x)\rangle$. It is not even possible to sample
efficiently from the set of all functions from $\{0,1\}^{n_1}$ to $\{0,1\}^{n_2}$, since $n_1, n_2$ are polynomial
in |x| and such a function takes $n_2 2^{n_1}$ bits to describe. This is why we must use a random hash
function H drawn uniformly from $\mathcal{H}(2t+1)$, which is a much smaller family. However, since H
still has (2t+1)-wise independence, it suffices for our purposes.

2. The more important difference is that [1]'s arguments, showing that if their algorithm
accepts an $x \notin L$ with good probability then there exists a good cheating prover, are essentially
combinatorial. They can be phrased as inserting the honest Arthur into a random query round of
the simulator. Our arguments, however, cannot rely just on classical combinatorics, and a careful
rephrasing (as sketched above) is needed to reduce the analysis to quantum search lower bounds.
Since, for the purpose of efficiency, we are forced to provide the input to the search algorithm
from a source of limited independence, a technical contribution of this work is also in showing
that search is hard on average for such inputs as well.

We would like to clarify one more aspect of the algorithm Z. Why does Z use $V_H$ instead of
running the simulator S on the honest Arthur? The reason is that the zero-knowledge property
of Π only restricts S's behavior for $x \in L$. However, as we argued above, for $x \notin L$ we still
want to be sure that S's output has high min-entropy, even conditioned on its first message. Using
an efficiently computable hash function as a verifier in the algorithm Z gives us some control on
S's output even when $x \notin L$: we can guarantee that the second message in S's output is correct,
and therefore not too concentrated. Using a hash function works for the $x \in L$ case too, because
the transcript of interaction with $V_H$ (averaged over the randomness in H) is distributed the same
as the transcript with the honest Arthur.

Finally, the generalization to constant-round AM protocols goes through along similar lines. 
These arguments also go through for three-round interactive protocols, by running the simulator 
on deterministic verifiers that use as their (private) random coins the hash of the prover's first 
message. 



1.1 Organization 

We make the necessary definitions, including of our models, in Section 2. In Section 3 we give the
proof for three-round QAM protocols, and in Section 4 we prove the search lemma on which it rests.
We then generalize this proof in two directions. First, we extend its validity to three-round
quantum interactive proof (QIP, private-coin) protocols in Section 5. Next, in Section 6, we
generalize it to constant-round QAM protocols, requiring slightly more involved notation. In
Section 7 we conclude with some open problems.
2 Preliminaries



We call a function δ negligible, $\delta \in \mathrm{negl}(n)$, if for every positive polynomial p, $\delta(n) = O(1/p(n))$.
Let poly(n) denote the set of functions that are each $O(p(n))$ for some polynomial p. We call an
algorithm efficient if it can be run on a classical or quantum Turing machine (depending on the
context) whose running time is at most polynomial in the input length.

We often use the following brief notation. Say $X_1$ and $X_2$ are random variables taking values
in $\mathcal{X}$. Let $x_1, x_2$ represent elements of $\mathcal{X}$. Then we write, for example, $\Pr[X_1 = X_2]$ to mean
$\Pr_{(x_1, x_2) \leftarrow (X_1, X_2)}[x_1 = x_2]$. For better familiarity with the usual conventions and notations
concerning random variables and other concepts of probability theory please refer to [4].

2.1 Quantum Oracle 

Definition 1. A quantum oracle $U_f$ for a function $f : \{0,1\}^{n_1} \to \{0,1\}^{n_2}$ is the unitary taking

$$|x\rangle|a\rangle \mapsto |x\rangle|a \oplus f(x)\rangle, \qquad (2)$$

for any $x \in \{0,1\}^{n_1}$ and $a \in \{0,1\}^{n_2}$. Here, ⊕ is the bitwise exclusive-or operation.

Note that $U_f$ is its own inverse, since applying it twice XORs f(x) into the second register twice,
so oracle access to $U_f$ and $U_f^{-1}$ is no more powerful than oracle access to just $U_f$.

Below we provide brief definitions of classical and quantum Interactive Proofs, Arthur-Merlin 
protocols, Zero-knowledge protocols etc. For more detailed and precise definitions please refer 
to [2,3,5,6]. 

2.2 Interactive proofs (IP) and Arthur-Merlin protocols (AM) 

A classical interactive proof (IP) for a language L is a classical communication protocol between
two parties, the prover $\mathcal{P}$ and the verifier $\mathcal{V}$. Both parties receive the input x. They exchange
messages, and the verifier finally outputs "accept" or "reject." The verifier $\mathcal{V}$'s running time is
bounded by a polynomial in the length of x, but there are no efficiency constraints on $\mathcal{P}$. The
protocol should satisfy completeness and soundness requirements for some constants $\epsilon_c, \epsilon_s \ge 0$
with $\epsilon_c + \epsilon_s < 2/3$:

1. If $x \in L$, then the verifier $\mathcal{V}$ accepts with probability at least $1 - \epsilon_c$.

2. If $x \notin L$, then no cheating prover $\mathcal{P}^*$ can make $\mathcal{V}$ accept with probability more than $\epsilon_s$.

An AM protocol is a special kind of interactive proof in which the verifier's messages are
restricted to be uniformly random coin flips, which are independent of each other and of the
prover's messages.

2.3 Quantum Arthur-Merlin protocol (QAM) 

Similar to IP and AM, we can also define quantum analogs, QIP and QAM, where quantum
messages are exchanged, and the verifier can apply quantum operations. For most parts in this
paper, we are concerned with special three-round quantum Arthur-Merlin (QAM) protocols in
which only the third message, from the prover, is quantum. Therefore, we describe in detail
only such protocols in Definition 3 below. The details for the special three-round QIP protocols
and special constant-round QAM protocols, with only the last message being quantum, that we
are also concerned with in this paper, can be inferred easily from Definition 3 in an analogous
fashion. We begin with the following definition.
Definition 2 (Quantum predicate). A quantum predicate is a two-outcome measurement given
by an operator E, $0 \le E \le I$. When applied on a quantum state ρ, the probabilities of the two
outcomes, accept and reject, are $\operatorname{Tr}(E\rho)$ and $\operatorname{Tr}((I - E)\rho)$, respectively. The predicate is efficient if
it can be implemented in polynomial time by a quantum Turing machine.

Definition 3 (Special QAM protocol). In a three-round quantum Arthur-Merlin (QAM) protocol
$(\mathcal{A}, \mathcal{M})$ for language L, with the first two messages being classical, verifier Arthur ($\mathcal{A}$) and prover
Merlin ($\mathcal{M}$) are each given the input $x \in \{0,1\}^n$. Then,

1. Merlin sends Arthur an $\alpha \in \{0,1\}^{n_1}$.

2. Arthur replies with a uniformly random $\beta \in \{0,1\}^{n_2}$, independent of the first message.

3. Merlin sends ρ, a quantum state, and Arthur decides to accept or reject based on an efficient
quantum predicate (depending on x) on the "transcript" $|\alpha\rangle\langle\alpha| \otimes |\beta\rangle\langle\beta| \otimes \rho$.

Here $n_1, n_2 \in \mathrm{poly}(n)$ and ρ is a state on poly(n) qubits. Note that there are no efficiency
requirements on Merlin. For convenience, we will let (α, β, ρ) denote the transcript. We will also
write "$\mathcal{A}$ accepts" to mean that Arthur's predicate accepts. Let $(\mathcal{A}, \mathcal{M})(x)$ denote the distribution
of protocol transcripts (α, β, ρ) between Arthur $\mathcal{A}$ and Merlin $\mathcal{M}$. We will also refer to $(\mathcal{A}, \mathcal{M})(x)$
as the verifier's view in this protocol. The protocol satisfies, for some constants $\epsilon_c, \epsilon_s \ge 0$ with
$\epsilon_c + \epsilon_s < 2/3$:

• Completeness: If $x \in L$, $\Pr[\mathcal{A} \text{ accepts } (\mathcal{A}, \mathcal{M})(x)] \ge 1 - \epsilon_c$.

• Soundness: If $x \notin L$, then for any possibly cheating Merlin $\mathcal{M}^*$, $\Pr[\mathcal{A} \text{ accepts } (\mathcal{A}, \mathcal{M}^*)(x)] \le \epsilon_s$.

In the special three-round QIP protocols that we consider between prover $\mathcal{P}$ and verifier $\mathcal{V}$,
the verifier's view on input x consists of its private coins together with the transcript of the
interaction. We denote the random variable of this view by $(\mathcal{P}, \mathcal{V})(x)$.

2.4 Zero knowledge 

Informally, as we have stated earlier, a zero-knowledge proof for a language L is an interactive
proof for L such that if $x \in L$, then the verifier, no matter what it does, can "learn nothing"
more than the validity of the assertion that $x \in L$ [6,7]. For a cheating verifier $\mathcal{V}^*$, the notion of
it not "learning" more is formalized, in the context of the protocols that we consider, using the
following definitions.

Definition 4 (Computational indistinguishability). Two transcript distributions A and B on
n classical or quantum bits are said to be computationally indistinguishable if for any efficient
quantum predicate M running in time polynomial in n,

$$|\Pr[M \text{ accepts } A] - \Pr[M \text{ accepts } B]| \in \mathrm{negl}(n).$$

Definition 5 (Quantum computational zero knowledge). An interactive protocol Π (of the special
kinds that we consider) for language L, with prover $\mathcal{P}$ and verifier $\mathcal{V}$, is computational zero
knowledge if for every efficient verifier $\mathcal{V}^*$ there exists an efficient quantum algorithm $S_{\mathcal{V}^*}$, called
the simulator, as follows. Let $S_{\mathcal{V}^*}(x)$ be $S_{\mathcal{V}^*}$'s output on input x, representing the verifier's view
in the protocol between $\mathcal{P}$ and $\mathcal{V}^*$. Then for all $x \in L$, the distributions of $S_{\mathcal{V}^*}(x)$ and of verifier
$\mathcal{V}^*$'s actual view $(\mathcal{P}, \mathcal{V}^*)(x)$ while interacting with $\mathcal{P}$ are computationally indistinguishable.
Definition 6 (Black-box quantum computational zero knowledge). An interactive protocol Π (of
the special kinds that we consider) is black-box quantum computational zero knowledge if there
exists a single simulator S that works for all efficient verifiers $\mathcal{V}^*$, and that uses the verifier $\mathcal{V}^*$
only as a black-box oracle. That is, the access of S to $\mathcal{V}^*$ is limited to querying $\mathcal{V}^*$ and receiving
the response.

The following remarks are in order: 

1. Perfect zero knowledge and statistical zero knowledge are two stronger notions of zero
knowledge that require the distributions of $S_{\mathcal{V}^*}(x)$ and of $(\mathcal{P}, \mathcal{V}^*)(x)$ to be the same or
statistically indistinguishable, respectively. In the case of perfect zero knowledge, the
simulator is additionally allowed to output "failure" instead of a transcript with probability
at most 1/2.

2. Unlike the special quantum protocols that we consider, in which only the last message 
is quantum, for protocols with more quantum messages, the definition of quantum zero 
knowledge needs changes. For precise definitions, please refer to [2,3]. 

3 Three-round QAM protocols with the first two messages classical

In this section we present our result for three-round QAM protocols, Theorem 1.

Theorem 1. Let L be a language with a three-round QAM protocol Π with the first two messages
classical, as in Definition 3, having completeness and soundness errors $\epsilon_c$ and $\epsilon_s$, respectively.
Assume that Π is a black-box, quantum computational zero-knowledge protocol. Let S be the
simulator, with a running time bounded by t. If $t\sqrt{\epsilon_s} = o(1 - \epsilon_c - \mathrm{negl}(n))$, then L is in BQP.

In particular, if $\epsilon_s$ is negligible and $\epsilon_c$ a constant, then $L \in \mathrm{BQP}$.

Although Definition 6 requires a simulator that works for all efficient verifiers $\mathcal{V}^*$, the proof
of Theorem 1 will only require that the simulator S works for a limited set of verifiers, verifiers
that essentially just apply a fixed function to the prover's message to determine their reply.

Definition 7. For $h : \{0,1\}^{n_1} \to \{0,1\}^{n_2}$, let $V_h$ represent a dishonest verifier who replies
deterministically with $\beta = h(\alpha)$ on message α, and uses the same acceptance predicate as used by
Arthur $\mathcal{A}$.

In fact, in order for Theorem 1 to hold, the simulator S only has to work for the set of cheating
verifiers $\{V_h : h \in \mathcal{H}\}$, where $\mathcal{H}$ is a certain strongly t-universal family of hash functions:

Definition 8 (Strongly t-universal family of hash functions). A set $\mathcal{H}$ of functions from $\{0,1\}^{n_1}$
to $\{0,1\}^{n_2}$ is a strongly t-universal family of hash functions if, for H chosen uniformly from $\mathcal{H}$,
the random variables $\{H(a) : a \in \{0,1\}^{n_1}\}$ are t-wise independent and each H(a) is uniformly
distributed in $\{0,1\}^{n_2}$.

For all positive integers $n_1, n_2, t$, there exists a strongly t-universal family $\mathcal{H}(n_1, n_2, t)$ of
efficiently computable hash functions $\{0,1\}^{n_1} \to \{0,1\}^{n_2}$ [8-10].

With these definitions out of the way, we are ready to prove Theorem 1.

Proof of Theorem 1. The proof goes by presenting and analyzing the following efficient algorithm
Z for deciding membership in L:
Algorithm Z: Input $x \in \{0,1\}^n$, Output accept/reject.

1. Draw H uniformly from $\mathcal{H} := \mathcal{H}(n_1, n_2, 2t+1)$.

2. Run S on $V_H$ with input x. Consider the three output registers, corresponding
to the prover's first message, the verifier's response, and the prover's second
message, respectively. In order to ensure that the first two messages in the
simulated transcript are classical, measure the corresponding registers in the
computational basis. Let A and B be the respective random variables obtained
after the measurement, and let C be the contents of the third register after the
measurement. Note that C is a random quantum state correlated with A and B.
The output simulated transcript is then (A, B, C).

3. Compute H(A). Run $\mathcal{A}$'s acceptance predicate on the modified simulated
transcript (A, H(A), C), and accept if and only if the predicate accepts.

Algorithm Z runs in polynomial time, since running S, choosing and evaluating a hash 
function in H, and running Arthur's acceptance predicate are all efficient. We claim: 

Claim 1. For $x \in L$, $\Pr[Z \text{ accepts } x] \ge 1 - \epsilon_c - \mathrm{negl}(n)$. For $x \notin L$, $\Pr[Z \text{ accepts } x] = O(t\sqrt{\epsilon_s})$.

Theorem 1 follows immediately from Claim 1. □

Proof of Claim 1. The first two steps of algorithm Z define a joint distribution for (H, A, B, C).
Here, A, B are random variables taking values in binary strings, H is a random hash function, 
and C is a random density matrix. Note that the algorithm does not use B, the simulated second 
message. Z's acceptance probability is, from step 3, 

Pr[Z accepts x] = Pr[A accepts (A, H(A), C)] , 

where the probability is over the joint distribution of (H, A, B, C), and also over any randomness 
in the acceptance predicate of A. 

Case $x \in L$: Let $x \in L$. Our aim is to relate $\Pr[Z \text{ accepts } x]$ to $\Pr[\mathcal{A} \text{ accepts } (\mathcal{A}, \mathcal{M})(x)]$, which
is at least $1 - \epsilon_c$ by the completeness criterion. We compute

$$\begin{aligned}
\Pr[Z \text{ accepts } x] &= \Pr[\mathcal{A} \text{ accepts } (A, H(A), C)] \\
&= \frac{1}{|\mathcal{H}|} \sum_{h \in \mathcal{H}} \Pr[\mathcal{A} \text{ accepts } (A, h(A), C) \mid H = h] \\
&\ge \frac{1}{|\mathcal{H}|} \sum_{h \in \mathcal{H}} \Pr[\mathcal{A} \text{ accepts } (A, B, C) \wedge h(A) = B \mid H = h] \qquad (3)
\end{aligned}$$

since H is uniform on $\mathcal{H}$, and since adding the check h(A) = B can only reduce the probability.

Note that $(A, B, C) \mid (H = h)$ is the distribution of the simulator's output on verifier $V_h$, after
measuring the registers corresponding to the first two messages. Let $(V_h, \mathcal{M})(x)$ denote the
distribution of protocol transcripts between verifier $V_h$ and Merlin $\mathcal{M}$ on input x (see Definition 3).
By the computational zero-knowledge assumption, the acceptance probability of any efficient
predicate on $(A, B, C) \mid (H = h)$ can differ from the acceptance probability of the same predicate
on $(V_h, \mathcal{M})(x)$ only by a negligible amount. In particular this holds for the following efficient
quantum predicate E: on three-register input ρ, measure the first two registers, and accept iff
($\mathcal{A}$ accepts ρ ∧ h(first register) = second register). Now, on $(V_h, \mathcal{M})(x)$, the second message is
by definition h of the first message, so the event (E accepts $(V_h, \mathcal{M})(x)$) reduces to the event
($\mathcal{A}$ accepts $(V_h, \mathcal{M})(x)$). Therefore, continuing from Eq. (3) we have:

$$\begin{aligned}
\Pr[Z \text{ accepts } x] &\ge \frac{1}{|\mathcal{H}|} \sum_{h \in \mathcal{H}} \Pr[\mathcal{A} \text{ accepts } (A, B, C) \wedge h(A) = B \mid H = h] \\
&= \frac{1}{|\mathcal{H}|} \sum_{h \in \mathcal{H}} \Pr[E \text{ accepts } (A, B, C) \mid H = h] \\
&\ge \frac{1}{|\mathcal{H}|} \sum_{h \in \mathcal{H}} \Pr[E \text{ accepts } (V_h, \mathcal{M})(x)] - \mathrm{negl}(n) \\
&= \frac{1}{|\mathcal{H}|} \sum_{h \in \mathcal{H}} \Pr[\mathcal{A} \text{ accepts } (V_h, \mathcal{M})(x)] - \mathrm{negl}(n) \\
&= \Pr[\mathcal{A} \text{ accepts } (V_H, \mathcal{M})(x)] - \mathrm{negl}(n).
\end{aligned}$$

Finally, since H is drawn from a strongly (2t+1)-universal hash family, for each α, H(α) is
uniformly distributed. Therefore, the transcript $(V_H, \mathcal{M})(x)$ is distributed identically to $(\mathcal{A}, \mathcal{M})(x)$;
in either case, the second message is uniformly distributed and independent of the first message.
We conclude

$$\begin{aligned}
\Pr[Z \text{ accepts } x] &\ge \Pr[\mathcal{A} \text{ accepts } (V_H, \mathcal{M})(x)] - \mathrm{negl}(n) \\
&= \Pr[\mathcal{A} \text{ accepts } (\mathcal{A}, \mathcal{M})(x)] - \mathrm{negl}(n) \qquad (4) \\
&\ge 1 - \epsilon_c - \mathrm{negl}(n).
\end{aligned}$$

Case $x \notin L$: Let $x \notin L$. Let $q := \Pr[Z \text{ accepts } x] = \Pr[\mathcal{A} \text{ accepts } (A, H(A), C)]$. Consider the
following cheating Merlin $\mathcal{M}^*$.

Cheating Merlin $\mathcal{M}^*$: Recall the joint distribution (H, A, B, C) defined by Z.
Note that H, A need not be independent in this joint distribution.

1. On input x, send an a drawn according to A.

2. On receiving $\mathcal{A}$'s message β, send back the quantum state $C \mid (A = a, H(a) = \beta)$
to Arthur. If $\Pr[H(a) = \beta \mid A = a] = 0$, then send the state $|0\rangle\langle 0|$.

Note that sampling from the conditional distribution $C \mid (A = a, H(a) = \beta)$ may not be efficient.
However, $\mathcal{M}^*$ is not required to be efficient.
The cheating probability of $\mathcal{M}^*$ is exactly

$$\Pr[\mathcal{A} \text{ accepts } (\mathcal{A}, \mathcal{M}^*)(x)] = \sum_{(a, \beta) \in \{0,1\}^{n_1 + n_2}} \Pr[A = a] \, \frac{1}{2^{n_2}} \, \Pr[\mathcal{A} \text{ accepts } (a, \beta, (C \mid A = a, H(a) = \beta))]. \qquad (5)$$

The factor of $1/2^{n_2}$ is the probability with which Arthur replies with a given β. By the soundness
criterion, $\mathcal{M}^*$'s cheating probability is upper-bounded by $\epsilon_s$.

Intuitively, $\mathcal{M}^*$ is only successful if the uniform distribution of β has sufficient overlap with
the distribution of H(a) from the simulator's output, at least for most a drawn according to
A. Then the two distributions can be coupled, relating Arthur's acceptance probability while
interacting with $\mathcal{M}^*$ to q. An extreme counterexample might be that, conditioned on A = a,
H(a) were somehow fixed. Then β would almost never agree with H(a), so $\mathcal{M}^*$ wouldn't know
what to send for the last message and would have to abort.

Unlike the case $x \in L$, Definition 5 puts no guarantees on the simulator S when $x \notin L$, so it
is possible that S's output (A, B, C) could be very different from $(\mathcal{A}, \mathcal{M})(x)$. Regardless, as we
show in the following key lemma, one can argue using black-box query search lower bounds that
H(A) is on average not too concentrated even given A.

Lemma 1 (Search reduction). Let $s_a := \max_\beta \Pr[H(a) = \beta \mid A = a]$, where (H, A, B, C) is the
joint distribution defined in Z. Then there is a universal constant c such that the expectation

$$\mathbb{E}_{a \leftarrow A}[s_a] \le \frac{c\, t^2}{2^{n_2}}. \qquad (6)$$

The proof is deferred to Section 4.

By applying Markov's inequality to Eq. (6), we obtain:

Corollary 1. Fix $\delta \in (0, 1]$. There exists a set $\mathrm{Good} \subseteq \{0,1\}^{n_1}$ such that:

1. $\Pr[A \in \mathrm{Good}] \ge 1 - \delta$.

2. For all $a \in \mathrm{Good}$, $s_a \le \dfrac{c\, t^2}{\delta\, 2^{n_2}}$.



Now continuing from Eq. (5) we have

$$\begin{aligned}
\epsilon_s &\ge \sum_{a \in \mathrm{Good},\, \beta} \Pr[A = a] \, \frac{1}{2^{n_2}} \, \Pr[\mathcal{A} \text{ accepts } (a, \beta, (C \mid A = a, H(a) = \beta))] \\
&\ge \sum_{a \in \mathrm{Good},\, \beta} \frac{\Pr[A = a, H(a) = \beta]}{\Pr[H(a) = \beta \mid A = a]} \, \frac{1}{2^{n_2}} \, \Pr[\mathcal{A} \text{ accepts } (a, \beta, C) \mid A = a, H(a) = \beta] \\
&\ge \frac{\delta}{c\, t^2} \sum_{a \in \mathrm{Good},\, \beta} \Pr[A = a, H(a) = \beta] \, \Pr[\mathcal{A} \text{ accepts } (a, \beta, C) \mid A = a, H(a) = \beta] \qquad (7) \\
&= \frac{\delta}{c\, t^2} \Pr[\mathcal{A} \text{ accepts } (A, H(A), C),\, A \in \mathrm{Good}] \\
&\ge \frac{\delta}{c\, t^2} \bigl( \Pr[\mathcal{A} \text{ accepts } (A, H(A), C)] - \Pr[A \notin \mathrm{Good}] \bigr) \\
&\ge \frac{\delta}{c\, t^2} (q - \delta).
\end{aligned}$$

In the second line, terms with $\Pr[H(a) = \beta \mid A = a] = 0$ are non-negative and have been dropped, so
the division is well defined. The third inequality follows since $\Pr[H(a) = \beta \mid A = a] \le s_a \le c\, t^2/(\delta\, 2^{n_2})$
from the definition of $s_a$, Lemma 1 and Corollary 1, since $a \in \mathrm{Good}$. The final inequality uses the
definition $q = \Pr[Z \text{ accepts } x] = \Pr[\mathcal{A} \text{ accepts } (A, H(A), C)]$ and Corollary 1. Setting $\delta = q/2$
gives $\epsilon_s \ge q^2/(4c\, t^2)$, i.e., $q \le 2t\sqrt{c\, \epsilon_s} = O(t\sqrt{\epsilon_s})$, which completes the proof of Claim 1 and
thus also of Theorem 1. □



4 Proof of Lemma 1: Reduction to search



Lemma 1 is proved by reducing to search, then applying a search lower bound.

We briefly sketch the idea of the proof first. Let $s := \mathbb{E}_{a \leftarrow A}[s_a]$, where $s_a$ is as in the statement of the lemma. For each $a \in \{0,1\}^{n_1}$, let
$$
\beta_a := \arg\max_\beta \Pr[H(a) = \beta \mid A = a] .
$$
(Recall the joint distribution of $(H, A, B, C)$ from algorithm $Z$.) With this definition, note that $s = \Pr[H(A) = \beta_A]$. Let $(A', B', C')$ be the simulator $S$'s output when run on $\mathcal{V}_F$, where $F$ is a uniformly random function from $\{0,1\}^{n_1}$ to $\{0,1\}^{n_2}$. Let $s' := \Pr[F(A') = \beta_{A'}]$, where the probability is over both $F$ and the simulator. First, we argue that $s' = s$ because the set of random variables $\{H(a) : a \in \{0,1\}^{n_1}\}$ has sufficient independence. Next, by reduction to black-box search and using known quantum search lower bounds, we argue that the probability of the event $F(A') = \beta_{A'}$ is $O(t^2/2^{n_2})$ for any algorithm, in particular for $S$, that makes at most $t$ queries to the oracle for $F$ and outputs $A'$. We now present the formal proof.

Lemma 2. Let $H$ be uniformly distributed in $\mathcal{H}(2t+1)$ and let $F$ be uniformly distributed over the set of all functions $\{0,1\}^{n_1} \to \{0,1\}^{n_2}$. Let $A = A^H \in \{0,1\}^{n_1}$ be the classical output, after measurement, of a quantum algorithm $\mathcal{A}$ that starts in state $|0\rangle$ and makes at most $t$ oracle queries to $H$. Let $A' = A^F \in \{0,1\}^{n_1}$ be the corresponding output when $\mathcal{A}$ is run on $F$. Then $(A, H(A))$ and $(A', F(A'))$ have the same distribution. In particular, $\Pr[H(A) = \beta_A] = \Pr[F(A') = \beta_{A'}]$.

Proof of Lemma 2. The proof follows by application of the polynomial method [11, 12]. Given a string $x = (x_a)_{a \in \{0,1\}^{n_1}} \in \{0,1\}^{n_2 2^{n_1}}$, let $f_x : \{0,1\}^{n_1} \to \{0,1\}^{n_2}$ be the function $f_x(a) = x_a$. It is well known that the state of the quantum query algorithm $\mathcal{A}$ starting at $|0\rangle$, after $t$ queries to the oracle for the function $f_x$, is
$$
\sum_z p_z(x)\,|z\rangle ,
$$
where the coefficients $p_z(x)$ are polynomials in the binary variables $x_{a,i}$ with $a \in \{0,1\}^{n_1}$ and $i \in [n_2] := \{1, \ldots, n_2\}$. A block, for any fixed $a$, consists of the variables $x_{a,i}$ with $i \in [n_2]$. Also, it can be verified through standard arguments that each $p_z(x)$ has "block degree" at most $t$, meaning that each term involves variables $x_{a,i}$ for at most $t$ different $a$:
$$
p_z(x) = \sum_{d \le t} \;\sum_{\substack{a_1, \ldots, a_d \in \{0,1\}^{n_1} \\ S_1, \ldots, S_d \subseteq [n_2]}} p_{z, a_1, \ldots, a_d, S_1, \ldots, S_d} \prod_{j=1}^{d} \prod_{i \in S_j} x_{a_j, i} .
$$
Therefore, for a fixed $x \in \{0,1\}^{n_2 2^{n_1}}$, on making $t$ queries to the oracle for $f_x$, the probability of outputting any particular $a$ is a polynomial of block degree at most $2t$ [11]. By making one additional query to the oracle for $f_x$, one can instead output $(a, x_a)$, which increases the block degree by at most one. That is, the probability of output $(a, x_a)$ is a polynomial of block degree at most $2t+1$. Averaging this polynomial over the oracle being $H$ gives the same probability as averaging over $F$, by strong $(2t+1)$-universality: in either case, the variables $x_a$ are $(2t+1)$-wise independent and uniform, and a polynomial of block degree at most $2t+1$ has the same expectation under any two distributions that agree on every set of at most $2t+1$ blocks. Therefore, $(A, H(A))$ and $(A', F(A'))$ have the same distribution. $\square$
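The averaging step above depends only on $\mathcal{H}(2t+1)$ being strongly $(2t+1)$-universal, i.e. $(2t+1)$-wise independent. The following is an added example, not from the paper, of the standard construction of such a family (random polynomials of degree less than $k$ over a prime field) together with an exhaustive check of exactly the property Lemma 2 uses: any statistic of at most $k$ evaluations has the same average over the family as over a truly random function, while a statistic of $k+1$ evaluations can separate the two. Using $\mathrm{GF}(p)$ with tiny $p$, and the specific test statistics, are assumptions made so that the check can be exhaustive; the paper's $\mathcal{H}(2t+1)$ maps bit strings to bit strings.

```python
"""k-wise independent hashing via random polynomials over GF(p).

Added example (not from the paper): the degree-<k polynomial family
h(x) = c_0 + c_1 x + ... + c_{k-1} x^{k-1} mod p with uniform coefficients is
strongly k-universal.  We check exhaustively that for k distinct inputs the
output tuple is uniform, and that expectations of any statistic of <= k
evaluations agree with those under a truly random function F: GF(p) -> GF(p).
The prime field and small parameters are simplifying assumptions.
"""
from collections import Counter
from fractions import Fraction
from itertools import product


def poly_eval(coeffs, x, p):
    """Evaluate c_0 + c_1 x + ... + c_{k-1} x^{k-1} in GF(p) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def family_members(p, k):
    """All p**k members of the family, as coefficient tuples (c_0, ..., c_{k-1})."""
    return product(range(p), repeat=k)


def joint_output_counts(p, k, points):
    """Histogram of (h(x_1), ..., h(x_m)) over every h in the family."""
    return Counter(
        tuple(poly_eval(c, x, p) for x in points) for c in family_members(p, k)
    )


def is_uniform_on_points(p, k, points):
    """True iff the output tuple on `points` is uniform over GF(p)^m.

    For m = k distinct points this is the k-wise independence (strong
    k-universality) of the family; for m = k + 1 it fails, since p**k members
    cannot cover p**(k+1) tuples.
    """
    counts = joint_output_counts(p, k, points)
    expected = p ** k // p ** len(points)  # hits per tuple if uniform
    return len(counts) == p ** len(points) and set(counts.values()) == {expected}


def expectation_under_family(g, p, k, points):
    """E_h[g(h(x_1), ..., h(x_m))] for h uniform in the degree-<k family (exact)."""
    total = sum(
        g(tuple(poly_eval(c, x, p) for x in points)) for c in family_members(p, k)
    )
    return Fraction(total, p ** k)


def expectation_under_random_function(g, p, points):
    """E_F[g(F(x_1), ..., F(x_m))] for a uniformly random F: GF(p) -> GF(p) (exact)."""
    m = len(points)
    total = sum(g(v) for v in product(range(p), repeat=m))
    return Fraction(total, p ** m)


def all_equal(v):
    """A statistic of 3 evaluations: both averages must agree when k >= 3."""
    return int(v[0] == v[1] == v[2])


def third_difference_test(p):
    """A statistic of 4 consecutive evaluations: the third finite difference.

    It vanishes identically for polynomials of degree < 3, but only with
    probability 1/p for a random function, so it separates a 3-wise
    independent family from a random function using 4 = k + 1 queries.
    """
    return lambda v: int((v[0] - 3 * v[1] + 3 * v[2] - v[3]) % p == 0)


if __name__ == "__main__":
    p, t = 5, 1
    k = 2 * t + 1  # the paper's H(2t+1) needs (2t+1)-wise independence
    print("uniform on 3 points:", is_uniform_on_points(p, k, [0, 1, 2]))
    print("uniform on 4 points:", is_uniform_on_points(p, k, [0, 1, 2, 3]))
    print("E[all_equal] family / random:",
          expectation_under_family(all_equal, p, k, [0, 1, 2]),
          expectation_under_random_function(all_equal, p, [0, 1, 2]))
    print("E[3rd diff = 0] family / random:",
          expectation_under_family(third_difference_test(p), p, k, [0, 1, 2, 3]),
          expectation_under_random_function(third_difference_test(p), p, [0, 1, 2, 3]))
```

The agreement of the two expectations for `all_equal` is the content of the averaging step in the proof (with $k = 2t+1 = 3$, i.e. one query plus the extra block for the output), and the disagreement for the third-difference statistic shows why the block-degree bound $2t+1$ is what makes the argument go through: one more block would let the algorithm tell $H$ from $F$.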

Lemma 3. Let $F$ be uniformly distributed over the set of all functions $\{0,1\}^{n_1} \to \{0,1\}^{n_2}$. Fix a sequence $(\beta_a)_{a \in \{0,1\}^{n_1}}$ of elements of $\{0,1\}^{n_2}$. Let $A \in \{0,1\}^{n_1}$ be the classical output, after measurement, of a quantum algorithm $\mathcal{A}$ that starts in state $|0\rangle$ and makes at most $t$ oracle queries to $F$. Then
$$
\Pr[F(A) = \beta_A] = O(t^2/2^{n_2}) . \qquad (8)
$$

Remark 1. We state without proof that if $\mathcal{A}$ in Lemma 3 were a classical algorithm making at most $t$ oracle queries to $F$, then we would have the stronger statement $\Pr[F(A) = \beta_A] = O(t/2^{n_2})$.
Proof of Lemma 3. Let $\mathcal{S} := \{x \in \{0,1\}^{2^{n_2}} : x \text{ has a 1 in exactly one position}\}$. Let $X$ be a random variable uniformly distributed in $\mathcal{S}$, with positions indexed by $\{0,1\}^{n_2}$. Standard search lower bounds imply that with $t$ oracle queries to the bits of $X$, the probability that a quantum algorithm finds the location of the 1 is $O(t^2/2^{n_2})$ [11]. (The same bound for a classical algorithm is $O(t/2^{n_2})$.)

Now algorithm $\mathcal{A}$ can be used to construct an algorithm $\mathcal{B}$ for finding the 1 in $X$ as follows:

Algorithm $\mathcal{B}$: Fix $G$, a function chosen uniformly from the set of all functions from $\{0,1\}^{n_1}$ to $\{0,1\}^{n_2}$. For each $a \in \{0,1\}^{n_1}$, fix $Z_a$, a string chosen uniformly from $\{0,1\}^{n_2} \setminus \{\beta_a\}$. Define
$$
F(a) :=
\begin{cases}
\beta_a & \text{if } X_{G(a)} = 1 , \\
Z_a & \text{if } X_{G(a)} = 0 .
\end{cases}
$$
Note that $F : \{0,1\}^{n_1} \to \{0,1\}^{n_2}$ is a uniformly random function, when averaged over the choices of $X$, $G$ and the $Z_a$'s: for each $a$, $\Pr[F(a) = \beta_a] = \Pr[X_{G(a)} = 1] = 1/2^{n_2}$, the remaining $2^{n_2} - 1$ values are equally likely via $Z_a$, and the values for distinct $a$ are independent since the $G(a)$ and $Z_a$ are. Now run $\mathcal{A}$. When $\mathcal{A}$ makes a query to $a \in \{0,1\}^{n_1}$, return $F(a)$.$^5$ When $\mathcal{A}$ stops, measure $\mathcal{A}$'s output $A'$, and output $G(A')$.

From the above construction, finding $\beta_a$ in $F$ implies finding a 1 in $X$: $F(A') = \beta_{A'}$ if and only if $X_{G(A')} = 1$, since $Z_{A'} \ne \beta_{A'}$. Moreover, since $\mathcal{A}$ makes at most $t$ queries to $F$, $\mathcal{B}$ makes at most $2t$ queries to $X$. Therefore,
$$
\Pr[F(A') = \beta_{A'}] = \Pr[X_{G(A')} = 1] = O(t^2/2^{n_2}) .
$$
$\square$
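The following is an added example, not from the paper, that runs the Algorithm $\mathcal{B}$ reduction classically: it plants a unique-1 search instance $X$ inside the oracle $F$ via a random $G$ and random decoys $Z_a \ne \beta_a$, wraps a query-bounded "algorithm $\mathcal{A}$", and checks the facts the proof relies on: $F(A') = \beta_{A'}$ holds exactly when $X_{G(A')} = 1$ (so $\mathcal{B}$ succeeds exactly when $\mathcal{A}$ does), $\mathcal{B}$ spends one $X$-query per $F$-query (the quantum version in footnote 5 needs two, to uncompute), and $F(a)$ is uniform once $X$, $G(a)$ and $Z_a$ are averaged over. The toy classical $\mathcal{A}$ (probe $t$ inputs and report a hit) and the small parameters are assumptions for the demonstration; the real $\mathcal{A}$ in the proof is the quantum simulator.

```python
"""Classical run of the Algorithm B reduction from the proof of Lemma 3.

Added example, not from the paper.  Inputs a live in range(2**n1) and values
in range(2**n2); X is a 0/1 list of length 2**n2 with exactly one 1.
"""
import random
from collections import Counter


class QueryCounter:
    """Oracle wrapper that counts queries and enforces a query budget."""

    def __init__(self, fn, budget):
        self.fn, self.budget, self.count = fn, budget, 0

    def __call__(self, a):
        if self.count >= self.budget:
            raise RuntimeError("query budget exhausted")
        self.count += 1
        return self.fn(a)


def sample_instance(n1, n2, beta, rng):
    """Sample X (single 1), uniform G : [2**n1] -> [2**n2], and decoys Z_a != beta_a."""
    X = [0] * (2 ** n2)
    X[rng.randrange(2 ** n2)] = 1
    G = [rng.randrange(2 ** n2) for _ in range(2 ** n1)]
    Z = [rng.choice([z for z in range(2 ** n2) if z != beta[a]]) for a in range(2 ** n1)]
    return X, G, Z


def build_F(x_oracle, G, Z, beta):
    """F(a) = beta_a if X_{G(a)} = 1 else Z_a, with X read only through x_oracle."""
    return lambda a: beta[a] if x_oracle(G[a]) == 1 else Z[a]


def algorithm_A(f_oracle, n1, t, beta, rng):
    """Toy classical A: probe t distinct inputs, return a hit if seen, else a random a."""
    for a in rng.sample(range(2 ** n1), min(t, 2 ** n1)):
        if f_oracle(a) == beta[a]:
            return a
    return rng.randrange(2 ** n1)


def algorithm_B(X, G, Z, beta, n1, t, rng):
    """The reduction: run A against the planted F and output G(A').

    Returns (guessed position of the 1, A', #F-queries, #X-queries).
    """
    x_oracle = QueryCounter(lambda j: X[j], budget=2 * t)  # 2t = the quantum budget
    f_oracle = QueryCounter(build_F(x_oracle, G, Z, beta), budget=t)
    a_prime = algorithm_A(f_oracle, n1, t, beta, rng)
    return G[a_prime], a_prime, f_oracle.count, x_oracle.count


def run_trials(n1, n2, t, trials, seed=0):
    """Check the success coupling and the query accounting over random instances."""
    rng = random.Random(seed)
    beta = [rng.randrange(2 ** n2) for _ in range(2 ** n1)]  # arbitrary fixed targets
    coupled, successes, max_x_queries = True, 0, 0
    for _ in range(trials):
        X, G, Z = sample_instance(n1, n2, beta, rng)
        pos, a_prime, fq, xq = algorithm_B(X, G, Z, beta, n1, t, rng)
        f_val = beta[a_prime] if X[G[a_prime]] == 1 else Z[a_prime]  # F(A'), recomputed
        coupled &= (f_val == beta[a_prime]) == (X[pos] == 1)  # A wins iff B wins
        coupled &= xq == fq  # classically: one X-query per F-query
        successes += X[pos]
        max_x_queries = max(max_x_queries, xq)
    return {"coupled": coupled, "success_rate": successes / trials,
            "max_x_queries": max_x_queries, "t": t}


def f_marginal_counts(n2, beta_a):
    """Exhaustively count F(a) over all choices of (position of the 1, G(a), Z_a)."""
    counts = Counter()
    for pos in range(2 ** n2):
        for g in range(2 ** n2):
            for z in range(2 ** n2):
                if z != beta_a:
                    counts[beta_a if g == pos else z] += 1
    return counts


if __name__ == "__main__":
    print(run_trials(n1=6, n2=4, t=3, trials=2000))
    print(f_marginal_counts(n2=2, beta_a=1))  # every value appears 12 times: F(a) is uniform
```

With $n_2 = 2$ the exhaustive count gives each of the four values of $F(a)$ exactly $12$ of the $4 \cdot 4 \cdot 3 = 48$ choices, which is the "uniformly random function" claim of the construction; the trial loop never observes $\mathcal{A}$ succeeding without $\mathcal{B}$ succeeding, which is the inequality that transfers the search lower bound to $\Pr[F(A') = \beta_{A'}]$.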

Proof of Lemma 1. Recall the joint distribution of $(H, A, B, C)$ from the algorithm $Z$. Lemma 1 now follows from the above two lemmas by setting $\mathcal{A} := S$ and $\beta_a := \arg\max_\beta \Pr[H(a) = \beta \mid A = a]$, and observing that $\mathbb{E}_{a \leftarrow A}[s_a] = \Pr[H(A) = \beta_A]$, where $s_a$ is as in the statement of Lemma 1. Indeed, $\Pr[H(A) = \beta_A] = \Pr[F(A') = \beta_{A'}]$ by Lemma 2, and the latter is $O(t^2/2^{n_2})$ by Lemma 3. $\square$



5 Three-round QIP protocols 

The extension of Theorem 1 to a three-round interactive proof $(\mathcal{P}, \mathcal{V})$ follows on similar lines as the three-round QAM case, with a few differences that we will highlight. Let us first introduce the notation for this section.

Notation: In an interactive proof, the honest verifier $\mathcal{V}$ is given coins $R$ drawn uniformly at random from $\{0,1\}^{n_c}$ at the beginning of the protocol. For a string $r$, let $V_r : \{0,1\}^{n_1} \to \{0,1\}^{n_2}$ be the function determining the verifier $\mathcal{V}$'s response to the prover's first message, when the coins are fixed to $r$. We will also write "$V_r$ accepts" to mean that $\mathcal{V}$'s predicate with coins $r$ accepts. For a function $h : \{0,1\}^{n_1} \to \{0,1\}^{n_c}$, define the dishonest verifier $\mathcal{V}_h$ to behave exactly as the honest verifier $\mathcal{V}$ does with coins $h(a)$, where $a$ is the prover's first message. In particular, $\mathcal{V}_h$ responds to message $a$ with $V_{h(a)}(a)$. $\mathcal{V}_h$'s view of the interaction therefore consists of the two messages from the prover.

The result for this section is: 

Theorem 2. Let $L$ be a language with a three-round interactive protocol $\Pi$, with possibly the last message from the prover being quantum, having completeness and soundness errors $\varepsilon_c$ and $\varepsilon_s$, respectively. Assume that $\Pi$ is a black-box, quantum computational zero-knowledge protocol. Let $S$ be the simulator, with running time bounded by $t$. If $t\sqrt{\varepsilon_s} = o(1 - \varepsilon_c - \mathrm{negl}(n))$, then $L$ is in $\mathrm{BQP}$.

$^5$ This response can be implemented in superposition, using at most two oracle queries to $X$: choose $\beta_a$ or $Z_a$ depending on $X_{G(a)}$, then uncompute $X_{G(a)}$. It is not necessarily efficient, except in terms of oracle queries.
Proof. The proof of Theorem 2 is similar to that of Theorem 1, with some modifications to the algorithm and the cheating prover. The new efficient algorithm $Z'$ for language $L$ is:

Algorithm $Z'$: Input $x \in \{0,1\}^n$. Output accept/reject.

1. Choose $H$ uniformly at random from $\mathcal{H}(2t+1)$. Run $S$ (with input $x$) on $\mathcal{V}_H$ and measure its output corresponding to the first message from the prover in the computational basis to obtain the classical random variable $A$. Let $C$ be the output of $S$ corresponding to the last message from the prover.

2. Accept if and only if $V_{H(A)}$ accepts the transcript $(A, V_{H(A)}(A), C)$.

As before we have the following claim:

Claim 2. For $x \in L$, $\Pr[Z' \text{ accepts } x] \ge 1 - \varepsilon_c - \mathrm{negl}(n)$. For $x \notin L$, $\Pr[Z' \text{ accepts } x] = O(t\sqrt{\varepsilon_s})$.

It is easy to verify that the algorithm $Z'$ runs in polynomial time. Theorem 2 then follows immediately from Claim 2. $\square$

Proof of Claim 2. The case $x \in L$ goes along similar lines as in the proof of Theorem 1, and we skip the details for brevity.

Consider the case $x \notin L$. Let $B := V_{H(A)}(A)$. Algorithm $Z'$ defines a joint distribution for $(H, A, B, C)$. Let $F$ be chosen uniformly from the set of all functions from $\{0,1\}^{n_1}$ to $\{0,1\}^{n_c}$. Run the simulator $S$ on $\mathcal{V}_F$ and let $A', C'$ be its outputs analogous to $A, C$. Let $B' := V_{F(A')}(A')$. Since $S$ makes at most $t$ queries, using arguments as in the proof of Lemma 2 we have
$$
q := \Pr[Z' \text{ accepts } x] = \Pr[V_{H(A)} \text{ accepts } (A, B, C)] = \Pr[V_{F(A')} \text{ accepts } (A', B', C')] . \qquad (9)
$$

The main property that we need to observe in this case is:

Lemma 4. For all $a \in \{0,1\}^{n_1}$ and $\beta \in \{0,1\}^{n_2}$, the random variables $F(a) \mid (A' = a, B' = \beta)$ and $C' \mid (A' = a, B' = \beta)$ are independent. In other words, for all $a \in \{0,1\}^{n_1}$, we have the following Markov network$^6$:
$$
(F(a) \mid A' = a) \to (B' \mid A' = a) \to (C' \mid A' = a) .
$$

Proof. Let $N := 2^{n_1}$. For every $a \in \{0,1\}^{n_1}$, define the random variable $Y(a) := V_{F(a)}(a)$, so $B' = Y(A')$. Note that the simulator $S$, while querying $\mathcal{V}_F$, has oracle access only to the random function $Y : \{0,1\}^{n_1} \to \{0,1\}^{n_2}$ and not directly to the random function $F : \{0,1\}^{n_1} \to \{0,1\}^{n_c}$. Therefore the following is a Markov network:
$$
(F(1)\,F(2) \cdots F(N)) \to (Y(1)\,Y(2) \cdots Y(N)) \to (A', C') .
$$
The random variables $F(1), F(2), \ldots, F(N)$ are all independent of each other. Also, since for each $a$, $Y(a)$ is a function only of $a$ and $F(a)$, the random variables $Y(1), Y(2), \ldots, Y(N)$ are also all independent of each other. Therefore for every $a \in \{0,1\}^{n_1}$ we also have the following Markov network:
$$
F(a) \to Y(a) \to (A', C') ,
$$
which remains a Markov network if we condition each variable on $A' = a$, as claimed. $\square$



$^6$ The random variables $X, Y, Z$ taking values in $\mathcal{X}, \mathcal{Y}, \mathcal{Z}$ are said to form a Markov network $X \to Y \to Z$ if for every $y \in \mathcal{Y}$ the random variables $X \mid (Y = y)$ and $Z \mid (Y = y)$ are independent.
Exactly on the lines of Lemma 1, search lower bounds imply:

Lemma 5. Let $s_a := \max_{r \in \{0,1\}^{n_c}} \Pr[F(a) = r \mid A' = a]$, where $(F, A', B', C')$ is the joint distribution defined as above. Then there is a universal constant $c$ such that the expectation
$$
\mathbb{E}_{a \leftarrow A'}[s_a] \le \frac{c\,t^2}{2^{n_c}} . \qquad (10)
$$

Applying Markov's inequality to Eq. (10) gives:

Corollary 2. Fix $\delta \in (0, 1]$. There exists a set $\mathrm{Good} \subseteq \{0,1\}^{n_1}$ such that:

1. $\Pr[A' \in \mathrm{Good}] \ge 1 - \delta$.

2. For all $a \in \mathrm{Good}$, $s_a \le \dfrac{c\,t^2}{\delta\,2^{n_c}}$.

Now define the cheating prover $\mathcal{P}^*$ as:

Cheating prover $\mathcal{P}^*$: Recall the joint distribution $(F, A', B', C')$ defined earlier.

1. On input $x$, send $a$ drawn from $A'$.

2. On receiving the honest verifier $\mathcal{V}$'s message $\beta$, send back a message to $\mathcal{V}$ distributed according to $C' \mid (A' = a, B' = \beta)$.

Now the cheating probability of $\mathcal{P}^*$ is $\Pr[\mathcal{V} \text{ accepts } (\mathcal{P}^*, \mathcal{V})(x)]$. Therefore,
$$
\begin{aligned}
\varepsilon_s &\ge \Pr[\mathcal{V} \text{ accepts } (\mathcal{P}^*, \mathcal{V})(x)] \\
&= \sum_{(a, r) \in \{0,1\}^{n_1 + n_c}} \Pr[A' = a]\,\frac{1}{2^{n_c}}\,\Pr\bigl[V_r \text{ accepts } (a, V_r(a), (C' \mid A' = a, B' = V_r(a)))\bigr] \\
&\ge \sum_{a \in \mathrm{Good},\, r} \Pr[A' = a]\,\frac{1}{2^{n_c}}\,\Pr\bigl[V_r \text{ accepts } (a, V_r(a), (C' \mid A' = a, B' = V_r(a)))\bigr] \\
&= \sum_{a \in \mathrm{Good},\, r} \frac{\Pr[A' = a, F(a) = r]}{\Pr[F(a) = r \mid A' = a]}\,\frac{1}{2^{n_c}}\,\Pr\bigl[V_r \text{ accepts } (a, V_r(a), (C' \mid A' = a, B' = V_r(a)))\bigr] \\
&\ge \frac{\delta}{c\,t^2} \sum_{a \in \mathrm{Good},\, r} \Pr[A' = a, F(a) = r]\,\Pr\bigl[V_r \text{ accepts } (a, V_r(a), (C' \mid A' = a, B' = V_r(a)))\bigr] \\
&= \frac{\delta}{c\,t^2} \sum_{a \in \mathrm{Good},\, r} \Pr[A' = a, F(a) = r]\,\Pr\bigl[V_r \text{ accepts } (a, V_r(a), (C' \mid A' = a, F(a) = r))\bigr] \\
&= \frac{\delta}{c\,t^2} \sum_{a \in \mathrm{Good},\, r} \Pr\bigl[A' = a, F(a) = r, V_r \text{ accepts } (a, V_r(a), C')\bigr] \\
&= \frac{\delta}{c\,t^2} \Pr\bigl[V_{F(A')} \text{ accepts } (A', B', C'),\ A' \in \mathrm{Good}\bigr] \\
&\ge \frac{\delta}{c\,t^2} \Bigl(\Pr\bigl[V_{F(A')} \text{ accepts } (A', B', C')\bigr] - \Pr[A' \notin \mathrm{Good}]\Bigr) .
\end{aligned}
$$

The third inequality above follows since $\Pr[F(a) = r \mid A' = a] \le s_a \le \frac{c\,t^2}{\delta\,2^{n_c}}$ (from Corollary 2, the definition of $s_a$, and since $a \in \mathrm{Good}$). The third equality above follows since, by Lemma 4 and because $F(a) = r$ implies $B' = V_r(a)$,
$$
(C' \mid A' = a, B' = V_r(a)) = (C' \mid A' = a, F(a) = r, B' = V_r(a)) = (C' \mid A' = a, F(a) = r) .
$$
The final inequality uses Eq. (9) and Corollary 2. Set $\delta = q/2$ to complete the proof of Claim 2 and thus also of Theorem 2: the bound becomes $\varepsilon_s \ge q^2/(4c\,t^2)$, i.e. $q = O(t\sqrt{\varepsilon_s})$. $\square$

Remark 2. While we extend the three-round QAM proof to constant-round QAM protocols in Section 6, this proof for three-round QIP protocols cannot be similarly extended. The proof would only work for constant-round QIP protocols if the honest verifier were guaranteed to use independent randomness to determine his response in each round. The proof breaks down if he refers to the same randomness for different messages. In that case, the black-box simulator's output transcript need not depend only on the verifier's messages. It may depend directly on the randomness behind those messages, and so the analog of Lemma 4 would be false.

6 Constant-round QAM protocols with only the last message quantum

In this section, we extend Theorem 1 for three-round QAM protocols to $(2k+1)$-round QAM protocols with all but the last message classical, for any constant $k$.

Theorem 3. Let $k$ be a fixed positive integer. Let $L$ be a language with a $(2k+1)$-round QAM protocol $\Pi$, with all but the last message classical, having completeness and soundness errors $\varepsilon_c$ and $\varepsilon_s$, respectively. Assume that $\Pi$ is a black-box, quantum computational zero-knowledge protocol. Let $S$ be the simulator, with running time bounded by $t$. If $(t^{2k}\varepsilon_s)^{1/(k+1)} = o(1 - \varepsilon_c - \mathrm{negl}(n))$, then $L$ is in $\mathrm{BQP}$.

Proof. Assume without loss of generality that the first message is from the prover $\mathcal{M}$. We will use the following notation.

Notation: For an indexed variable $x_i$, let $x_1^j$ denote the $j$-tuple $(x_1, x_2, \ldots, x_j)$. Let $n_i$ be the length of the $i$th message in the protocol. For each $i \in [k]$, let $\mathcal{H}_i$ be a strongly $(2t+1)$-universal family of efficiently computable hash functions $\{0,1\}^{N_i} \to \{0,1\}^{n_{2i}}$, with $N_i = n_1 + n_2 + \cdots + n_{2i-1}$ and $t$ to be specified later (Definition 8). We will use $a_1, \ldots, a_{2k}$ to denote the classical messages of the first $2k$ rounds. For hash functions $h_1^k := (h_1, \ldots, h_k) \in \mathcal{H}_1 \times \cdots \times \mathcal{H}_k$, let $\mathcal{A}_{h_1^k}$ represent the deterministic dishonest Arthur who returns $h_i(a_1^{2i-1})$ as the $(2i)$th message when the transcript of the first $2i-1$ messages is $a_1^{2i-1}$.

Black-box access is modeled by giving the simulator $S$ access to $k$ oracles, evaluating the $k$ hash functions (on arbitrary inputs). The oracle $U_{h_i}$ takes
$$
|x\rangle|a\rangle|b\rangle \;\mapsto\; |x\rangle|a \oplus h_i(x)\rangle|b\rangle .
$$
Equivalently, the simulator can be given a single oracle that also takes as input the round number, in order to apply the appropriate hash function.

Let the random variables $H_i$ be uniformly and independently distributed over $\mathcal{H}_i$, and let $H_1^k := (H_1, \ldots, H_k)$. Let $(A_1, A_3, \ldots, A_{2k+1})$ be the simulator $S$'s output for Arthur's view, corresponding to the prover's messages only, when run on the random verifier $\mathcal{A}_{H_1^k}$. ($A_1, A_3, \ldots, A_{2k-1}$ are random classical messages, while $A_{2k+1}$ is a random density matrix.) Let $A_{2i} = H_i(A_1^{2i-1})$, so $A_1^{2k+1} := (A_1, A_2, \ldots, A_{2k+1})$. Thus running $S$ on $\mathcal{A}_{H_1^k}$ overall defines a joint distribution over $(H_1^k, A_1^{2k+1})$. As in the three-round case, our algorithm $Z$ for deciding $L$ is:



Algorithm $Z$: On input $x$, using the simulator $S$, sample from the distribution $A_1^{2k+1}$. Accept if and only if the sampled transcript satisfies Arthur's acceptance predicate.



Our main claim will be: 

Claim 3. For $x \in L$, $\Pr[Z \text{ accepts } x] \ge 1 - \varepsilon_c - \mathrm{negl}(n)$. For $x \notin L$, $\Pr[Z \text{ accepts } x] = O\bigl((t^{2k}\varepsilon_s)^{1/(k+1)}\bigr)$.

Algorithm $Z$ runs in polynomial time, since $S$, choosing and evaluating the various hash functions, and Arthur's acceptance predicate are all efficient. Therefore, Theorem 3 follows immediately from Claim 3. $\square$

Proof of Claim 3. Let
$$
q := \Pr[Z \text{ accepts } x] = \Pr[\mathcal{A} \text{ accepts } A_1^{2k+1}] . \qquad (11)
$$

For $x \in L$, $Z$ accepts with good probability by the computational zero-knowledge assumption and by averaging over the hash functions, as in Theorem 1. We skip the details for brevity and focus on the $x \notin L$ case. Define a cheating Merlin $\mathcal{M}^*$ as follows:



Cheating Merlin $\mathcal{M}^*$: If the transcript so far is $a_1^{2i}$, send the next message according to the distribution of $A_{2i+1} \mid (A_1^{2i} = a_1^{2i})$.



The cheating probability of $\mathcal{M}^*$ is $\Pr[\mathcal{A} \text{ accepts } (\mathcal{A}, \mathcal{M}^*)(x)]$. Therefore,
$$
\begin{aligned}
\varepsilon_s &\ge \Pr[\mathcal{A} \text{ accepts } (\mathcal{A}, \mathcal{M}^*)(x)] \\
&= \sum_{a_1^{2k+1} \in \{0,1\}^{N_{k+1}}} \Pr[A_1 = a_1]\,\frac{1}{2^{n_2}}\,\Pr[A_3 = a_3 \mid A_1^2 = a_1^2] \cdots \frac{1}{2^{n_{2k}}}\,\Pr[A_{2k+1} = a_{2k+1} \mid A_1^{2k} = a_1^{2k}] \\
&\qquad\qquad \times \Pr[\mathcal{A} \text{ accepts } a_1^{2k+1}] . \qquad (12)
\end{aligned}
$$



Let
$$
\hat{a}_{2i}(a_1^{2i-1}) := \arg\max_{a_{2i}} \Pr[A_{2i} = a_{2i} \mid A_1^{2i-1} = a_1^{2i-1}] .
$$
Then, using arguments involving search lower bounds as in Lemma 3, we can similarly conclude that for each $i \in [k]$,
$$
\mathbb{E}_{a_1^{2i-1} \leftarrow A_1^{2i-1}}\Bigl[\Pr[A_{2i} = \hat{a}_{2i}(a_1^{2i-1}) \mid A_1^{2i-1} = a_1^{2i-1}]\Bigr] \le \frac{c\,t^2}{2^{n_{2i}}}
$$
for some constant $c$. Let $\delta \in (0, 1]$. By Markov's inequality, for all $i \in [k]$ there exists $\mathrm{Good}_i \subseteq \{0,1\}^{N_i}$ such that:

1. $\Pr[A_1^{2i-1} \in \mathrm{Good}_i] \ge 1 - \delta$.

2. For all $a_1^{2i-1} \in \mathrm{Good}_i$, $\Pr[A_{2i} = \hat{a}_{2i}(a_1^{2i-1}) \mid A_1^{2i-1} = a_1^{2i-1}] \le \dfrac{c\,t^2}{\delta\,2^{n_{2i}}}$.






Let $\mathrm{Good} := \bigcap_{i=1}^{k} \bigl(\mathrm{Good}_i \times \{0,1\}^{N_{k+1} - N_i}\bigr)$. Then
$$
\Pr[A_1^{2k+1} \in \mathrm{Good}] \ge 1 - k\delta . \qquad (13)
$$

Now from Eq. (12) we have:
$$
\begin{aligned}
\varepsilon_s &\ge \sum_{a_1^{2k+1} \in \mathrm{Good}} \Pr[A_1 = a_1]\,\frac{1}{2^{n_2}}\,\Pr[A_3 = a_3 \mid A_1^2 = a_1^2] \cdots \frac{1}{2^{n_{2k}}}\,\Pr[A_{2k+1} = a_{2k+1} \mid A_1^{2k} = a_1^{2k}] \\
&\qquad\qquad \times \Pr[\mathcal{A} \text{ accepts } a_1^{2k+1}] \\
&\ge \sum_{a_1^{2k+1} \in \mathrm{Good}} \Bigl(\frac{\delta\,2^{n_2}}{c\,t^2}\Pr[A_2 = a_2 \mid A_1 = a_1]\Bigr) \cdots \Bigl(\frac{\delta\,2^{n_{2k}}}{c\,t^2}\Pr[A_{2k} = a_{2k} \mid A_1^{2k-1} = a_1^{2k-1}]\Bigr) \\
&\qquad\qquad \times \Pr[A_1 = a_1]\,\frac{1}{2^{n_2}}\,\Pr[A_3 = a_3 \mid A_1^2 = a_1^2] \cdots \frac{1}{2^{n_{2k}}}\,\Pr[A_{2k+1} = a_{2k+1} \mid A_1^{2k} = a_1^{2k}] \\
&\qquad\qquad \times \Pr[\mathcal{A} \text{ accepts } a_1^{2k+1}] \\
&= \Bigl(\frac{\delta}{c\,t^2}\Bigr)^k \sum_{a_1^{2k+1} \in \mathrm{Good}} \Pr[A_1^{2k+1} = a_1^{2k+1}]\,\Pr[\mathcal{A} \text{ accepts } a_1^{2k+1}] \\
&= \Bigl(\frac{\delta}{c\,t^2}\Bigr)^k \Pr\bigl[\mathcal{A} \text{ accepts } A_1^{2k+1},\ A_1^{2k+1} \in \mathrm{Good}\bigr] \\
&\ge \Bigl(\frac{\delta}{c\,t^2}\Bigr)^k \Bigl(\Pr[\mathcal{A} \text{ accepts } A_1^{2k+1}] - \Pr[A_1^{2k+1} \notin \mathrm{Good}]\Bigr) .
\end{aligned}
$$

The first inequality is by restricting the sum to good transcripts. The second inserts, for each $i \in [k]$, the factor $\frac{\delta\,2^{n_{2i}}}{c\,t^2}\Pr[A_{2i} = a_{2i} \mid A_1^{2i-1} = a_1^{2i-1}] \le \frac{\delta\,2^{n_{2i}}}{c\,t^2}\Pr[A_{2i} = \hat{a}_{2i}(a_1^{2i-1}) \mid A_1^{2i-1} = a_1^{2i-1}] \le 1$, valid since $a_1^{2k+1} \in \mathrm{Good}$ (compare Eq. (7)). The following equality is the chain rule for $\Pr[A_1^{2k+1} = a_1^{2k+1}]$, once each $2^{n_{2i}}$ cancels against the $1/2^{n_{2i}}$ of Arthur's uniformly random $(2i)$th message. The last inequality follows from Eq. (11) and Eq. (13). Setting $\delta = q/(2k)$ gives $\varepsilon_s \ge \bigl(\frac{q}{2k c\,t^2}\bigr)^k \cdot \frac{q}{2}$, i.e. $q = O\bigl((t^{2k}\varepsilon_s)^{1/(k+1)}\bigr)$, which completes the proof. $\square$

Remark 3. This proof would not have gone through had we defined $A_{2i} = H_i(A_{2i-1})$; it is necessary to hash the entire preceding transcript, $A_{2i} = H_i(A_1^{2i-1})$ (as in [1]), in order to obtain the upper bound $\Pr[A_{2i} = a_{2i} \mid A_1^{2i-1} = a_1^{2i-1}] \le \Pr[A_{2i} = \hat{a}_{2i}(a_1^{2i-1}) \mid A_1^{2i-1} = a_1^{2i-1}]$ used above.



7 Open problems 

Many open problems remain related to this work. We would like to be able to analyze protocols with more "quantum-ness." For example, what can one say about three-round interactive proofs with classical messages but a quantum verifier? Here the honest verifier may not even have any private coins, but instead may use quantum mechanics to randomize. Since the verifier's response will no longer be a deterministic function $V_r(a)$ of its coins $r$ and the first message $a$, our approach of setting the coins equal to a function $h(a)$ will not make sense.

Also, we would like to understand QAM protocols in which all the prover's messages are quantum. The problem currently is that hashing the first message (say, in the computational basis) collapses its state. Therefore it is no longer true that the honest-verifier transcript is the same as the average of the hash-function verifiers' transcripts, so the key equality in the $x \in L$ case, Eq. (4), will no longer hold.